Set release repo context without checkout

[Fieldnote-Echo]

Summary:

• Set GH_REPO for no-checkout gh release upload/edit steps in release.yml.
• Pin the repo-context requirement in release_signed_release_invariants.sh.

Why:

• The v0.3.0 release run generated all artifacts and provenance successfully, then failed in release-assets-draft because gh release upload ran in a no-checkout job and tried to infer a git repository.

Validation:

• bash tests/release_signed_release_invariants.sh
• bash tests/release_publish_invariants.sh
• git diff --check

Recovery after merge:

• Delete the failed draft v0.3.0 release and recreate the signed v0.3.0 tag at the fixed main commit, then approve the crates-io and pypi environments in the rerun.

[qodo-code-review]

Review Summary by Qodo

Set GH_REPO context for no-checkout release workflow jobs

🐞 Bug fix 🧪 Tests

Walkthroughs

Description

• Add GH_REPO environment variable to release workflow jobs
• Fixes gh release upload/edit failures in no-checkout jobs
• Add validation tests for GH_REPO context in release invariants

Diagram

flowchart LR
  A["release.yml<br/>no-checkout jobs"] -->|"missing GH_REPO"| B["gh release upload/edit<br/>fails to infer repo"]
  C["Add GH_REPO env var<br/>to release-assets-draft<br/>and publish-github-release"] -->|"explicit repo context"| D["gh commands<br/>work without checkout"]
  E["release_signed_release_invariants.sh<br/>validation tests"] -->|"verify GH_REPO set"| F["ensure fix<br/>is maintained"]

Loading

File Changes

1. .github/workflows/release.yml 🐞 Bug fix +2/-0

Add GH_REPO environment variable to release jobs

• Add GH_REPO: ${{ github.repository }} environment variable to release-assets-draft job
• Add GH_REPO: ${{ github.repository }} environment variable to publish-github-release job
• Provides explicit repository context for gh CLI commands in no-checkout jobs

.github/workflows/release.yml

---

2. tests/release_signed_release_invariants.sh 🧪 Tests +4/-0

Add GH_REPO validation tests to release invariants

• Add validation check that release-assets-draft job sets GH_REPO: ${{ github.repository }}
• Add validation check that publish-github-release job sets GH_REPO: ${{ github.repository }}
• Ensures gh release commands have explicit repo context in no-checkout environments

tests/release_signed_release_invariants.sh

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0)

1. Brittle GH_REPO invariant 🐞 Bug ⚙ Maintainability

Description

tests/release_signed_release_invariants.sh now enforces an exact textual match for `GH_REPO: ${{
github.repository }} (including the ${{ ... }}` internal spacing and lack of quotes), so
semantically-equivalent workflow YAML will fail CI even though it behaves the same. This increases
maintenance friction by turning harmless formatting changes (e.g., `GH_REPO:
"${{github.repository}}"`) into test failures.

Code

tests/release_signed_release_invariants.sh[R86-87]

Evidence

The new invariant checks use a strict, fully-anchored regex for the exact literal `${{
github.repository }}` formatting; this is stricter than necessary to validate the requirement that
GH_REPO is set, and will fail if the workflow uses equivalent quoting/spacing. The workflow itself
contains the checked line, so the invariant is purely enforcing source formatting rather than
runtime behavior.

tests/release_signed_release_invariants.sh[81-87]
tests/release_signed_release_invariants.sh[187-191]
.github/workflows/release.yml[531-537]
.github/workflows/release.yml[739-744]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The signed-release invariant test matches `GH_REPO` with a regex that requires a very specific formatting of the GitHub Actions expression (`${{ github.repository }}` with internal spaces and no quotes). This can fail CI for future, semantically-equivalent YAML edits (quoting, spacing, templating style), even though the workflow still sets `GH_REPO` correctly.

## Issue Context
These invariants are structural (grep-based) checks of `.github/workflows/release.yml`, so they should be strict about *presence/meaning* but avoid unnecessary coupling to formatting details.

## Fix Focus Areas
- tests/release_signed_release_invariants.sh[86-87]
- tests/release_signed_release_invariants.sh[190-191]

## Suggested change
Update the regex to accept common equivalent forms, e.g. optional quotes and optional whitespace inside the `${{ ... }}` expression:

```bash
grep -qE '^[[:space:]]+GH_REPO:[[:space:]]*"?\$\{\{[[:space:]]*github\.repository[[:space:]]*\}\}"?[[:space:]]*$'
```

(or alternatively check for `GH_REPO:` and `github.repository` on the same line without pinning the exact whitespace).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[gemini-code-assist]

Code Review

This pull request updates the tests/release_signed_release_invariants.sh script to ensure that both the release-assets-draft and publish-github-release jobs explicitly define the GH_REPO environment variable. The reviewer noted that the regular expressions used to validate this environment variable have issues with inconsistent curly brace escaping, strict spacing, and missing support for optional double quotes. Robust regex suggestions were provided to address these portability and flexibility concerns.